cfuson

FortiGate 60F as VPN server only

I have a FortiGate 60F that I used to use for my home lab. I have since replaced it with a different firewall/router (due to cost constraints). I would like to continue using the SSL VPN portion of the FortiGate. Can that be done? And if so, any instructions on setting it up?

Thanks

cfuson

I did miss setting the SSL VPN to internal. I set that and I can connect to it from the local network, but not from outside. I did create a NAT rule on my TP-Link to forward TCP 443 to the FortiGate but still cannot connect. Is this a problem with the TP-Link at this point?

Toshi_Esumi

That's why I keep saying you should sniff at the incoming interface, like "diag sniffer packet internal 'tcp and port 443'", to determine whether the TP-Link is forwarding the traffic or not.

 

Toshi

cfuson

Ah, OK, now I understand (sorry). I will give that a go and let you know what I find. Thank you.

cfuson

I ran the sniff and it looks like the request is making it to the FortiGate.

Note: I replaced the actual IPs with either wanip or lanip.

57.400025 wanip.53269 -> lanip.443: syn 1921438064
58.409467 wanip.53269 -> lanip.443: syn 1921438064
60.412520 wanip.53269 -> lanip.443: syn 1921438064

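The three lines above show only client SYNs from wanip to lanip:443, retransmitted about every one to two seconds, with no "syn ... ack" or "rst" coming back from lanip.443 even though the sniffer filter 'tcp and port 443' would have captured a reply. As an added example that is not part of this thread, the following Python script parses FortiGate sniffer output in the default-verbosity format shown above, groups packets into client-to-listener flows and reports how far each TCP handshake got. The three captured lines are reused as input; the extra client addresses, ports and reply lines are constructed, and the listener port 443 is taken from the thread.

```python
import re
from collections import defaultdict

# Default-verbosity line format of "diag sniffer packet <if> 'tcp and port 443'":
#   <timestamp> <src>.<sport> -> <dst>.<dport>: <flags and seq/ack numbers>
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

SERVER_PORT = 443  # SSL VPN listener port, from "set port 443" in the thread

# Constructed sample: the first three lines are the ones posted above; the
# remaining lines are made up here to show a completed handshake and a reset.
SAMPLE = """\
57.400025 wanip.53269 -> lanip.443: syn 1921438064
58.409467 wanip.53269 -> lanip.443: syn 1921438064
60.412520 wanip.53269 -> lanip.443: syn 1921438064
61.100000 10.0.0.25.50111 -> lanip.443: syn 1000
61.100320 lanip.443 -> 10.0.0.25.50111: syn 2000 ack 1001
61.100900 10.0.0.25.50111 -> lanip.443: ack 2001
62.500000 203.0.113.9.40000 -> lanip.443: syn 3000
62.500200 lanip.443 -> 203.0.113.9.40000: rst 0 ack 3001
"""


def parse_line(line):
    """Parse one sniffer line into a dict, or return None if it is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").lower()
    # TCP flag words appear as tokens in the trailing text ("syn 1 ack 2", "rst 0 ack 3").
    flags = {f for f in ("syn", "ack", "fin", "rst", "psh") if re.search(rf"\b{f}\b", rest)}
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": flags,
    }


def classify_flows(lines, server_port=SERVER_PORT):
    """Group packets into (client, cport, server, sport) flows and judge each handshake.

    Verdicts: "handshake_ok" (a SYN-ACK came back from the listener),
              "refused"      (the listener answered with RST),
              "no_reply"     (only client SYNs were seen: the packet reached the
                              sniffed interface but nothing answered on server_port).
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "rst": False, "verdict": "unknown"})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dport"] == server_port:  # client -> listener
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if "syn" in pkt["flags"] and "ack" not in pkt["flags"]:
                flows[key]["syn"] += 1
        elif pkt["sport"] == server_port:  # listener -> client
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if {"syn", "ack"} <= pkt["flags"]:
                flows[key]["synack"] = True
            if "rst" in pkt["flags"]:
                flows[key]["rst"] = True
    for f in flows.values():
        if f["synack"]:
            f["verdict"] = "handshake_ok"
        elif f["rst"]:
            f["verdict"] = "refused"
        elif f["syn"]:
            f["verdict"] = "no_reply"
    return dict(flows)


def report(lines, server_port=SERVER_PORT):
    """One human-readable line per flow, e.g. for pasting back into a thread."""
    out = []
    for (client, cport, server, sport), f in classify_flows(lines, server_port).items():
        out.append(f"{client}:{cport} -> {server}:{sport}  syn={f['syn']}  {f['verdict']}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE.splitlines())))
```

Read against the capture in the thread: a flow that ends up as "no_reply" with several SYNs means the TP-Link did forward the packet to the FortiGate, so the next place to look is the FortiGate itself (the interface the SSL VPN is listening on, local-in handling, the SSL VPN daemon via "diag debug app sslvpn -1"), not the upstream NAT rule. A "refused" flow means something on the FortiGate answered and rejected the connection, and "handshake_ok" is what the working local client should show.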
Toshi_Esumi

Are you limiting the source IPs of SSL VPN clients? You said it worked internally.
And the "wanip" above is on the 60F or on the TPLink?

cfuson

Not limiting source IP.

wanip is the internet IP address assigned to my phone, on which I turned wireless off to use mobile data.

lanip is the local static IP I assigned to the FortiGate.

Toshi_Esumi

If you can share the config "show vpn ssl settings", I might be able to see why. But if it works for local access and doesn't work from the internet without any source IP filtering, you need to run SSL VPN debugging:
  diag debug app sslvpn -1

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542

cfuson

config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set idle-timeout 28800
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "internal"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "GroupSSLVPN"
            set portal "full-access"
        next
    end
end

Toshi_Esumi

Looks normal, using only one group "GroupSSLVPN". You need to run SSL VPN debugging, then compare the working one and the non-working one.

cfuson

Sorry I have been MIA; things came up. Anyway, I managed to totally mess it up and could not get into it any longer. I had to do a factory reset and decided to start fresh. I set up the wan1 port on the local network and the SSL VPN to listen on that port. That got me back to where I was: able to log into the VPN locally and not remotely. The plus side is that when I try remotely I do get a lot more noise when checking via "diag sniffer packet wan1 'tcp and port 443'". I will post those results later and run SSL VPN debugging as well. Another thing I did notice is that the FortiGate does not seem to connect to FortiCloud as it once did; not sure if that means anything or not.
